PDF ATTACK: A Journey from the Exploit Kit to the Shellcode
Jose Miguel Esparza (@EternalTodo), http://eternal-todo.com

Who am I
• Jose Miguel Esparza
• Senior Cybercrime Analyst at Fox-IT
  – Malware, Botnets, C&Cs, Exploit Kits, …
• Security Researcher at Home ;p
  – PDF, NFC, …
• http://eternal-todo.com
• @EternalTodo on Twitter

Agenda
• A Journey from the Exploit Kit to the Shellcode
  – Exploit Kits: the source of evil
  – PDF basics
  – Some basic peepdf commands
  – Analyzing PDF exploits
    • Extracting and analyzing shellcodes
  – Obfuscation of PDF files

Requirements
• Linux distribution
  – Libemu / Pylibemu
  – V8 / PyV8
• Latest peepdf version
  – Check it out from the repository, or update!

Exploit Kits: the source of evil
• Best way to infect a computer
• Effective and fresh exploits
  – IE
  – Java
  – PDF
  – Flash
  – …
• Average of 6-7 exploits

Exploit Kits: the source of evil
[Chart, credit KahuSecurity: exploits carried by current kits; labels Java 7u11, Java Byte Verify, Java CMM, Java < 7u17]
• Most used nowadays
  – BlackHole
  – Neutrino
  – RedKit
  – CoolPack
  – Styx
  – Nuclear
  – …

Exploit Kits: the source of evil
• Infection steps
  – Visit an injected website / click a spam link
  – Redirection (maybe more than one)
  – Obfuscated JavaScript
  – Plugin detection
  – Trying exploits
  – Done!

Exploit Kits: the source of evil
• Traffic Distribution Systems (TDS)
  – Country-specific attacks
  – TDS + Exploit Kits = WIN!

Exploit Kits: the source of evil
• Analyzing exploit kits
  – Avoiding researchers
    • Filtering by User-Agent and/or Referer
    • Blocking IPs
    • One-time infections
    • Country filters

Exploit Kits: the source of evil
• Analyzing obfuscated JavaScript code
  – The "easy" way
    • Automatic tools
      – Online services
        » Wepawet
        » JSUNPACK
      – Low-interaction honeyclient
        » Thug
    • You can miss some info

Exploit Kits: the source of evil
• Analyzing obfuscated JavaScript code
  – The traditional way
    • Executing the different stages of JS code
      – Beautify the code
      – Looking for the eval function
        » s/eval/print/
      – Hooking the eval function with JavaScript engines
    • Looking for exploits / shellcodes
    • You cannot miss any detail

Exploit Kits: the source of evil
• Analyzing obfuscated JavaScript code
  – The traditional way
    • Let's play ;)

PDF basics
• PDF format?
• PDF structure?
• Objects?
• Filters?

PDF basics
• File structure
  – Header
  – Body
  – Cross reference table
  – Trailer

PDF basics
• Body: a sequence of objects
  – Object types
    • Boolean: true false
    • Numbers: 123 -98 4. -.002 123.6
    • Strings: (hola) <686f6c61>  – 68 (h) 6f (o) 6c (l) 61 (a)
    • Names: /Type /Filter
    • Dictionaries: << /Type /Catalog /Root 1 0 R >>
    • Arrays: [ 1.0 (test) <</Length 273>> ]
    • Streams

PDF basics
• Object types
  – Indirect objects
    • Reference: "object_id generation_number R"
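Added example, not taken from the deck and not peepdf's code: a minimal tokenizer and value parser for the object types listed above, in stdlib Python 3. The sample dictionary is constructed for it. Strings and names are decoded the way a reader decodes them (\ddd octal escapes and nested parentheses in literal strings, hex strings, #xx escapes in names), which is exactly the layer at which byte-level string matching on a PDF goes wrong.

```python
import re
from collections import namedtuple

Ref = namedtuple("Ref", "num gen")   # indirect reference, written "num gen R"
_TOKEN = re.compile(rb"""[\x00\t\n\x0c\r ]+|%[^\r\n]*|(?P<tok><<|>>|\[|\]|<[0-9A-Fa-f\s]*>
    |/[^\x00\t\n\x0c\r ()<>\[\]{}/%]*|[+-]?(?:\d+\.?\d*|\.\d+)|[A-Za-z]+|\()""", re.X)
_ESC = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f"}


def tokenize(data):
    """Yield (kind, value) tokens: delim, name, number, string or keyword. Comments are dropped."""
    pos = 0
    while pos < len(data):
        m = _TOKEN.match(data, pos)
        if not m:
            raise ValueError("unexpected byte %r at offset %d" % (data[pos:pos + 1], pos))
        pos, tok = m.end(), m.group("tok")
        if tok is None:                                  # whitespace or a % comment
            continue
        if tok == b"(":                                  # literal string: nested parens, \n and \ddd escapes
            depth, buf = 1, bytearray()
            while depth:
                c, pos = data[pos:pos + 1], pos + 1
                if not c:
                    raise ValueError("unterminated literal string")
                if c == b"\\":
                    om = re.match(rb"[0-7]{1,3}", data[pos:pos + 3])
                    if om:                               # octal escape: \150 is 'h', \143 is 'c'
                        buf.append(int(om.group(), 8) & 0xFF)
                    else:
                        buf += _ESC.get(data[pos:pos + 1], data[pos:pos + 1])
                    pos += om.end() if om else 1
                    continue
                depth += (c == b"(") - (c == b")")
                if depth:
                    buf += c
            yield ("string", bytes(buf))
        elif tok[:1] == b"<" and tok != b"<<":           # hex string <686f6c61>; an odd final digit is padded with 0
            h = re.sub(rb"\s", b"", tok[1:-1])
            yield ("string", bytes.fromhex((h + b"0" if len(h) % 2 else h).decode()))
        elif tok[:1] == b"/":                            # name; #xx escapes resolved, so /J#61vaScript is /JavaScript
            raw = re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), tok[1:])
            yield ("name", "/" + raw.decode("latin-1"))
        elif tok in (b"<<", b">>", b"[", b"]"):
            yield ("delim", tok)
        elif tok[:1] in b"+-.0123456789":
            num = tok.decode()
            yield ("number", float(num) if "." in num else int(num))
        else:
            yield ("keyword", tok)                       # true false null R obj stream ...


def parse_value(data):
    """Parse one PDF value: dictionary, array, name, string, number, reference, bool or null."""
    toks, at = list(tokenize(data)) + [(None, None)] * 2, [0]   # two sentinels for the look-ahead

    def value():
        kind, val = toks[at[0]]
        at[0] += 1
        if kind is None:
            raise ValueError("unexpected end of data")
        if kind == "number" and isinstance(val, int) and toks[at[0]][0] == "number" \
                and toks[at[0] + 1] == ("keyword", b"R"):  # "num gen R" is an indirect reference
            gen = toks[at[0]][1]
            at[0] += 2
            return Ref(val, gen)
        if (kind, val) == ("delim", b"<<"):
            d = {}
            while toks[at[0]] != ("delim", b">>"):
                key = value()                              # keys are names such as /Type or /JS
                d[key] = value()
            at[0] += 1
            return d
        if (kind, val) == ("delim", b"["):
            arr = []
            while toks[at[0]] != ("delim", b"]"):
                arr.append(value())
            at[0] += 1
            return arr
        if kind == "keyword":
            return {b"true": True, b"false": False, b"null": None}.get(val, val)
        return val

    return value()


# Constructed sample: one dictionary exercising every basic object type from the slide.
SAMPLE = rb"""<< /Type /Catalog /Root 1 0 R /Open true /Nums [ 123 -98 4. -.002 123.6 ]
   /Lit (hola) /Hex <686f6c61> /Oct (\150\157\154\141) /Nested (a(b)c)
   /Arr [ 1.0 (test) <</Length 273>> ]
   /J#61vaScript << /JS (app.alert\0501\051) /Length 273 >> >>"""
```

Stream objects are the one type left out: their dictionary parses the same way, and the raw bytes that follow the `stream` keyword are taken by `/Length` and only become readable after the `/Filter` chain has been undone.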

PDF basics
• Tree structure: references
• Root node
  – /Catalog
• If an element isn't on the downward path from the /Catalog, it DOES NOT EXIST
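Added example, not from the deck and not peepdf's code: the "downward path from the /Catalog" rule as a reachability walk, in stdlib Python 3 over a constructed file. References are found textually ("num gen R"), which is enough to draw the tree; the second sample appends an incremental update with a new /Catalog, which is how a later trailer can revive an object that looked dead in the first version (peepdf's changelog / save_version commands show the same thing per version).

```python
import re

_OBJ = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj\b", re.S)   # "num gen obj ... endobj"
_REF = re.compile(rb"(\d+)\s+(\d+)\s+R\b")                         # "num gen R"
_ROOT = re.compile(rb"/Root\s+(\d+)\s+(\d+)\s+R\b")                # trailer entry naming the /Catalog


def split_objects(pdf):
    """{(num, gen): raw body} for every 'num gen obj ... endobj'. The cross-reference table
    is never consulted; malicious files routinely omit or corrupt it."""
    return {(int(n), int(g)): body for n, g, body in _OBJ.findall(pdf)}


def references(body):
    """Indirect references inside one object body. Purely textual, so it also picks up an
    'N G R' inside a string; that over-approximates reachability but never drops a real edge."""
    return {(int(n), int(g)) for n, g in _REF.findall(body)}


def catalog_ref(pdf):
    """/Root of the last trailer: incremental updates append a new trailer, and the newest wins."""
    hits = _ROOT.findall(pdf)
    if not hits:
        raise ValueError("no /Root entry in any trailer")
    n, g = hits[-1]
    return int(n), int(g)


def walk(pdf):
    """Breadth-first walk from the /Catalog. Returns (reachable ids in visit order, orphan ids).
    A conforming reader only ever loads the first group; the second does not exist for it."""
    objs = split_objects(pdf)
    seen, order, todo = set(), [], [catalog_ref(pdf)]
    while todo:
        ref = todo.pop(0)
        if ref in seen or ref not in objs:
            continue
        seen.add(ref)
        order.append(ref)
        todo.extend(sorted(references(objs[ref]) - seen))
    return order, sorted(set(objs) - seen)


# Constructed sample. Object 4 is reached via /OpenAction; objects 6 and 7 hold a second
# JavaScript action that nothing points at, so a reader never loads it.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 5 0 R >> endobj
4 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj
5 0 obj << /Length 9 >>
stream
BT ET q Q
endstream
endobj
6 0 obj << /S /JavaScript /JS 7 0 R >> endobj
7 0 obj << /Length 13 >>
stream
eval(payload)
endstream
endobj
trailer << /Root 1 0 R /Size 8 >>
%%EOF
"""

# The same file with an incremental update appended: a new /Catalog whose /OpenAction is the
# previously orphaned action. The /Prev value is a placeholder, not a real file offset.
SAMPLE_UPDATED = SAMPLE_PDF + b"""8 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 6 0 R >> endobj
trailer << /Root 8 0 R /Size 9 /Prev 0 >>
%%EOF
"""
```

A grep for /JavaScript reports two actions in the first sample, but only object 4 ever runs; after the update the situation flips and objects 1 and 4 are the dead ones. Triage on raw strings cannot tell these apart; the walk can.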

PDF basics
• You can use just a text editor!!

peepdf
http://peepdf.eternal-todo.com
"peepdf sounds like the Swiss army knife of PDF security apps"

peepdf
• Characteristics
  – Python
  – Command line
  – Interactive console (colorized)
  – Included in REMnux and BackTrack / Kali Linux

peepdf
• Characteristics
  – Command file option
    • Batch / automation
  – XML output
  – Easily updated from the repository

peepdf
• Why peepdf?
  – Support for:
    • Encryption
    • Object streams (compressed objects)
    • Most used filters
    • FlateDecode / LZWDecode parameters
  – JavaScript analysis
  – Shellcode emulation

peepdf
• Why peepdf?
  – Shows suspicious elements
  – Shows potential vulnerabilities
  – Powerful interactive console
  – Easy extraction of objects / JS code / shellcode
  – PDF obfuscation
  – Alive project!!

peepdf
• Recent commits
  – s/Spidermonkey/PyV8/g
  – vtcheck

peepdf
• Commands
  – Console
    • help
    • log
    • open
    • reset
    • quit
    • exit

peepdf
• Commands
  – Showing information
    • Whole document
      – info
      – tree
      – offsets
      – hash
      – bytes
      – metadata
      – changelog
      – save_version
      – errors

peepdf
• Commands
  – Showing information
    • Objects
      – object
      – rawobject
      – stream
      – rawstream
      – references
      – hash

peepdf
• Commands
  – Extracting information
    • Output redirection is possible
      – set
        » set output file path_to_my_file
        » set output variable myVar

peepdf
• Commands
  – Extracting information
    • Shell redirection is easier ;)
      – Files
        » stream 6 > stream6_file
        » js_code 12 >> pdf_js_code_file
      – Variables
        » js_unescape variable myVar $> unescaped_sh
        » rawstream 5 $>> all_my_rawstreams_var

peepdf
• Commands
  – JavaScript functions
    • js_code
    • js_eval
    • js_analyse
    • js_unescape
    • js_join

peepdf
• Commands
  – Shellcode emulation
    • sctest
      – pylibemu: libemu wrapper for Python
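Added example, not peepdf's implementation of js_unescape or sctest: what the unescape step produces, in stdlib Python 3 over a constructed JavaScript fragment. Each %uXXXX becomes the two bytes of a little-endian 16-bit code unit, each %XX one byte; the sled is then split off so the bytes that remain are the ones worth writing to a file and handing to sctest (libemu), which is not reproduced here.

```python
import re
import struct

_ESC = re.compile(rb"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")
# A literal unescape("...") call whose argument consists only of %u / %XX escapes.
_UNESCAPE_CALL = re.compile(rb"""unescape\s*\(\s*(["'])((?:%u[0-9A-Fa-f]{4}|%[0-9A-Fa-f]{2})+)\1\s*\)""")


def js_unescape(text):
    """Turn an unescape()-style string into raw bytes. %uXXXX is a 16-bit code unit that the
    JavaScript engine stores little-endian, so %uE8FC becomes FC E8; %XX is a single byte;
    anything else is copied through unchanged."""
    out, pos = bytearray(), 0
    for m in _ESC.finditer(text):
        out += text[pos:m.start()]
        if m.group(1):
            out += struct.pack("<H", int(m.group(1), 16))
        else:
            out.append(int(m.group(2), 16))
        pos = m.end()
    out += text[pos:]
    return bytes(out)


def extract_unescaped(js):
    """Decode every literal unescape("...") argument in a JavaScript blob, in source order.
    Kits usually assemble that string at run time, so run this on the code *after* the eval
    stages have been unwrapped (the js_eval / s/eval/print/ step), not on the raw sample."""
    return [js_unescape(m.group(2)) for m in _UNESCAPE_CALL.finditer(js)]


def strip_sled(blob, min_run=16):
    """Split off a leading sled (one byte repeated at least min_run times: 0x90 NOPs, or the
    0x0c / 0x0d / 0x0a fillers heap sprays use). Returns (sled_byte or None, payload)."""
    first = blob[:1]
    run = len(blob) - len(blob.lstrip(first)) if first else 0
    return (first, blob[run:]) if run >= min_run else (None, blob)


def shellcode_summary(js):
    """For each unescape() string: sled byte, payload length and the first payload bytes in hex."""
    report = []
    for blob in extract_unescaped(js):
        sled, payload = strip_sled(blob)
        report.append((sled, len(payload), payload[:8].hex()))
    return report


# Constructed sample in the style of a kit's PDF exploit: a 0x90 sled in front of the opening
# bytes of a typical Windows position-independent payload, plus a 0x0c spray filler.
SAMPLE_JS = b"""
var sc = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%uE8FC%u0082%u0000%u8960%u31E5%u64C0%u508B%u8B30%u0C52");
var filler = unescape('%0c%0c%0c%0c');
while (filler.length < 0x40000) filler += filler;
var block = filler + sc;
"""
```

The byte order is the detail that bites: `%uE8FC` is not the bytes E8 FC but FC E8 (cld; call ...), so a hash or a signature taken over the wrongly ordered bytes matches nothing. The filler string is tiny in the source and only grows to spray size inside the loop, which is why the summary reports 4 bytes for it.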

peepdf
• Commands
  – Modification / creation
    • modify
    • filters
    • decode
    • encode
    • encode_strings
    • embed
    • encrypt
    • malformed_output
    • create
    • save

peepdf
• Commands
  – Misc
    • set
    • search
    • show
    • xor
    • xor_search

Analyzing PDF exploits
• How to identify malicious files
  – Suspicious elements
    • /Action
    • /OpenAction
    • /AA
    • /AcroForm
    • /Names
    • /JavaScript
    • /EmbeddedFile
  – Known vulnerabilities

Analyzing PDF exploits
• Most used vulnerabilities
  – LibTiff (TIFF images)
  – Collab.collectEmailInfo
  – Collab.getIcon
  – Doc.media.newPlayer
  – …

Analyzing PDF exploits
• How to identify malicious files
  – Obfuscation
    • Strange encoding in objects
    • Encryption
    • Malformed objects
    • Embedded PDFs
    • JavaScript

Analyzing PDF exploits
• How to identify malicious files
  – Patterns
    • One page without content
    • Big objects
    • Gaps between objects (offsets)
    • Strange structure
    • Characteristic strings
      – Metadata
      – Tools

Analyzing PDF exploits
• How to identify malicious files
  – Malformed documents
    • Headers
    • Object tags
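Added example, not peepdf's code, over constructed samples: the checks from the last four slides as a quick triage script in stdlib Python 3. It resolves #xx name escapes before matching the suspicious names, checks where the header sits, measures gaps between objects, flags oversized objects and pages that carry no /Contents. It is a first pass only: JavaScript inside a compressed stream or an object stream is invisible to it, which is the reason the deck stresses filter and object-stream support.

```python
import re

# Names the slide lists as worth a second look, plus /JS, the key that actually carries the code.
SUSPICIOUS = (b"/OpenAction", b"/AA", b"/Action", b"/JavaScript", b"/JS", b"/AcroForm",
              b"/Names", b"/EmbeddedFile")
_OBJ = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj\b", re.S)


def normalize_names(data):
    """Resolve #xx escapes so /J#61vaScript and /JavaScript compare equal before searching."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def triage(pdf, big=100_000, gap=32):
    """Cheap structural checks from the slides: header, suspicious names, gaps between objects,
    oversized objects and pages without content. Returns a list of human-readable findings."""
    findings = []
    hdr = pdf.find(b"%PDF-")
    if hdr != 0:                        # Acrobat accepts a header anywhere in the first 1024 bytes
        findings.append("header missing" if hdr < 0 else "header at offset %d, not 0" % hdr)
    elif not re.match(rb"%PDF-1\.[0-7]\b", pdf):
        findings.append("odd version string %r" % pdf[:9])
    flat = normalize_names(pdf)
    for marker in SUSPICIOUS:           # whole-name match: /JS must not count inside /JSX, etc.
        n = len(re.findall(re.escape(marker) + rb"(?![A-Za-z])", flat))
        if n:
            findings.append("%s x%d" % (marker.decode(), n))
    pages = with_contents = 0
    prev_end = 0
    for m in _OBJ.finditer(pdf):        # offsets come from the raw bytes, not the normalized copy
        oid, body = int(m.group(1)), normalize_names(m.group(3))
        if prev_end and m.start() - prev_end > gap:
            findings.append("gap of %d bytes before object %d" % (m.start() - prev_end, oid))
        prev_end = m.end()
        if len(body) > big:
            findings.append("object %d is %d bytes" % (oid, len(body)))
        if re.search(rb"/Type\s*/Page(?![A-Za-z])", body):
            pages += 1
            with_contents += bool(re.search(rb"/Contents(?![A-Za-z])", body))
    if pages and not with_contents:
        findings.append("%d page(s) without /Contents" % pages)
    return findings


# Constructed samples: a clean one-page file, and one showing several of the patterns at once
# (hex-escaped /OpenAction and /JavaScript names, junk padding between two objects, an empty page).
CLEAN = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj
4 0 obj << /Length 9 >>
stream
BT ET q Q
endstream
endobj
trailer << /Root 1 0 R /Size 5 >>
%%EOF
"""
SUSPECT = (b"%PDF-1.4\n"
           b"1 0 obj << /Type /Catalog /Pages 2 0 R /#4F#70#65#6E#41#63#74#69#6F#6E 4 0 R >> endobj\n"
           b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
           b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
           b"4 0 obj << /S /J#61vaScript /JS (app.alert(1)) >> endobj\n"
           + b"\0" * 64 +
           b"5 0 obj << /Type /Action /S /URI >> endobj\n"
           b"trailer << /Root 1 0 R /Size 6 >>\n%%EOF\n")
```

None of these findings is proof on its own (forms use /AcroForm, named destinations use /Names), which is why the slides pair them with the list of known vulnerable API calls; they decide what to open in the console first.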

Analyzing real exploits
• Practicing all the theory
• Not a sample exploit, a real one
• Extracting the interesting parts
• Extracting the shellcode
• Analyzing the shellcode
• Playing with real exploits

Using peepdf as a library
• Some developments based on peepdf
  – SWF Mastah (Brandon Dixon)

PDF obfuscation
• Remove characteristic strings
• Split up JavaScript code (/Names)
• If the code is in:
  – Strings: octal encoding (\143\172)
  – Streams: filters (unusual ones, and filter parameters)
• Compress (object streams)
• Encrypt (default password)
• Malform (endobj, header)
• Nest PDFs
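Added example, not peepdf's code (its encode, encode_strings, filters, encrypt and malformed_output commands cover this ground interactively): three of the tricks above in stdlib Python 3, applied to a harmless app.alert so the effect on string matching can be checked. Names are written with #xx escapes, the script is either an all-octal literal string or a FlateDecode stream behind a PNG predictor (a filter parameter most grep-level tooling ignores). Object streams, encryption and malformed markers are left out. The file layout, the helper names and the JavaScript are all constructed for the example.

```python
import re
import zlib


def octal_string(data):
    """Literal string with every byte as a \\ddd escape: (hola) becomes (\\150\\157\\154\\141)."""
    return b"(" + b"".join(b"\\%03o" % b for b in data) + b")"


def hex_name(name):
    """Name with every character as #xx: JS becomes /#4A#53, so a grep for /JS finds nothing."""
    return b"/" + b"".join(b"#%02X" % c for c in name)


def png_up_predict(data, columns):
    """PNG 'Up' prediction (filter type 2 on every row), i.e. the encoder side of
    /DecodeParms << /Predictor 12 /Columns n >>. The last row is zero-padded."""
    prev, out = bytes(columns), bytearray()
    for i in range(0, len(data), columns):
        row = data[i:i + columns].ljust(columns, b"\0")
        out.append(2)
        out += bytes((a - b) & 0xFF for a, b in zip(row, prev))
        prev = row
    return bytes(out)


def png_up_unpredict(data, columns):
    """The reader's side: undo png_up_predict after zlib inflation."""
    prev, out = bytes(columns), bytearray()
    for i in range(0, len(data), columns + 1):
        prev = bytes((a + b) & 0xFF for a, b in zip(data[i + 1:i + 1 + columns], prev))
        out += prev
    return bytes(out)


def build_pdf(js, inline=False, columns=16):
    """Constructed one-page PDF that runs `js` on open with the tell-tale strings hidden:
    /OpenAction, /JavaScript and /JS are written as #xx names, and the code is either an
    all-octal literal string (inline=True) or a FlateDecode stream behind a PNG predictor."""
    js_value = octal_string(js) if inline else b"5 0 R"
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R " + hex_name(b"OpenAction") + b" 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R >>",
        b"<< /S " + hex_name(b"JavaScript") + b" " + hex_name(b"JS") + b" " + js_value + b" >>",
    ]
    if not inline:
        body = zlib.compress(png_up_predict(js, columns))
        head = b"<< /Length %d /Filter /FlateDecode /DecodeParms << /Predictor 12 /Columns %d >> >>" % (len(body), columns)
        objs.append(head + b"\nstream\n" + body + b"\nendstream")
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for num, obj in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    xref_at = len(out)                     # a correct xref table, so the file opens without repair
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref_at)
    return bytes(out)


def visible_markers(pdf, markers=(b"/OpenAction", b"/JavaScript", b"/JS", b"eval", b"unescape")):
    """Which tell-tale strings a plain grep or a name-matching YARA rule would still find."""
    return [m for m in markers if m in pdf]


def recover_js(pdf):
    """What a conforming reader hands to the JavaScript engine: inflate, then undo the predictor
    (the zero padding of the last row is stripped; the script must not end in a NUL byte)."""
    m = re.search(rb"/Length (\d+) /Filter /FlateDecode /DecodeParms << /Predictor 12 /Columns (\d+) >> >>\nstream\n", pdf)
    if not m:
        raise ValueError("no predicted FlateDecode stream found")
    raw = pdf[m.end():m.end() + int(m.group(1))]
    return png_up_unpredict(zlib.decompress(raw), int(m.group(2))).rstrip(b"\0")
```

The defender's side of the same coin: every marker disappears from the bytes on disk while the reader still executes the script, so detection has to run on the decoded form, after the same name decoding, string decoding and filter chain (parameters included) the reader applies.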

THANKS!!
Jose Miguel Esparza, jesparza AT eternal-todo.com
http://eternal-todo.com
@EternalTodo